GPO not being applied to users. GPOTool shows sysvol mismatch between DCs.

    Question

  • Hello, 

    Trying to troubleshoot a GPO that is not applying to users, I ran GPOTool on my main DC (Win Server 2008 R2), I have two other DCs (Win Server 2008 R2) as well. The main DC is DCS01, the other two DCs are DCS02 and DCS03. The first time I ran GPOTool, the results showed a sysvol mismatch. I noticed the timestamp on the GPO on each server did not match, so I tried making a change to the GPO to see if that would get it to update across all DCs. After making the change I ran GPOTool again and the timestamp for the GPO matched on all three DCs but it keeps showing an error. Here is the error:

    Policy {DBDAAE93-AC89-40C4-9C84-CD3513342690}
    Friendly name: U_Basic User Policy
    Error: DCS03.abc.xyz - DCS01.abc.xyz sysvol mismatch
    Details:
    ------------------------------------------------------------
    DC: DCS03.abc.xyz
    Friendly name: U_Basic User Policy
    Created: 8/2/2007 3:18:38 PM
    Changed: 6/27/2016 4:21:07 AM
    DS version:     30(user) 0(machine)
    Sysvol version: 30(user) 0(machine)
    Flags: 2 (user side enabled; machine side disabled)
    User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
    Machine extensions: not found
    Functionality version: 2
    ------------------------------------------------------------
    ------------------------------------------------------------
    DC: DCS02.abc.xyz
    Friendly name: U_Basic User Policy
    Created: 8/2/2007 3:18:38 PM
    Changed: 6/27/2016 4:21:04 AM
    DS version:     30(user) 0(machine)
    Sysvol version: 30(user) 0(machine)
    Flags: 2 (user side enabled; machine side disabled)
    User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
    Machine extensions: not found
    Functionality version: 2
    ------------------------------------------------------------
    ------------------------------------------------------------
    DC: DCS01.abc.xyz
    Friendly name: U_Basic User Policy
    Created: 8/2/2007 3:18:38 PM
    Changed: 6/27/2016 4:20:49 AM
    DS version:     30(user) 0(machine)
    Sysvol version: 30(user) 0(machine)
    Flags: 2 (user side enabled; machine side disabled)
    User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
    Machine extensions: not found
    Functionality version: 2

    As you can see, the error doesn't specify the sysvol versions on both DCs, it just says there's a mismatch. Any ideas how I can fix this?

    Any help is greatly appreciated! Thanks!

    Tuesday, July 05, 2016 1:59 PM

All replies

  • Hello,

    Can you please follow this:

    http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfsr/

    If it was good for you, please mark it as answered.

    Thank you!

    Tuesday, July 05, 2016 2:31 PM
  • Thanks for your reply. 

    I checked the link you posted and my DCs do not show any DFS error messages in EventViewer, I don't think the fix mentioned in your link applies to my situation. 

    Tuesday, July 05, 2016 7:07 PM
  • Hi,

    Thanks for your post.

    First, I suggest you run the command below to check the replication between DCS03 and DCS01.

    repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*

    For more information about the command, you could refer to the article below.

    Verify Successful Replication to a Domain Controller

    https://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx

    Did you configure security filtering or WMI filtering in the GPO?

    Here is a similar thread below for your reference.

    https://social.technet.microsoft.com/Forums/windows/en-US/31a8f8bd-3143-4516-93a2-607613ebf199/ad-sysvol-version-mismatch?forum=winserverGP

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 12, 2016 8:25 AM
    Moderator
  • Hi, thanks for taking the time to reply. 

    I ran the repadmin command and replication is successful, there were no errors. 

    WMI filtering is not configured on the GPO. Security filtering is set to the default, Authenticated Users. 

    The GPO still does not apply to anyone. 

    Wednesday, July 13, 2016 5:59 PM
  • Hi,

    What is the OS of client?

    I suggest you run gpresult /h C:\gpresult.html on client and post it to us for further research.

    Best Regards,

    Jay



    Monday, July 18, 2016 10:26 AM
    Moderator
  • You need to find the affected DC and do a D2 restore pointing to a non-affected one; also check the sysvol permission.

    Sometimes the mismatch is due to AD replication delay.

    http://www.windowstricks.in/sysvol-interview-questions-and-answers

    http://www.windowstricks.in/2010/03/health-check-active-directory.html


    Regards www.windowstricks.in

    Monday, July 18, 2016 7:39 PM
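
One way to find which DC holds a different copy of the policy folder, as the reply above suggests (added example, not part of any post in the thread): it reads the version counters from GPT.INI and hashes every file under the GPO's folder on each DC. The domain, DC names and GPO GUID come from the GPOTool output in the question; PowerShell 4.0 or later and read access to each SYSVOL share are assumptions.

```powershell
# Added example, not from the thread. DC names, domain and GPO GUID are taken
# from the GPOTool output in the question. Assumes PowerShell 4.0+ (Get-FileHash)
# and read access to every DC's SYSVOL share from the machine running it.
$Domain  = 'abc.xyz'
$GpoGuid = '{DBDAAE93-AC89-40C4-9C84-CD3513342690}'
$DCs     = 'DCS01', 'DCS02', 'DCS03'

function Get-GpoSysvolState {
    param([string]$Server, [string]$Domain, [string]$GpoGuid)
    $root = "\\$Server.$Domain\SYSVOL\$Domain\Policies\$GpoGuid"
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "${Server}: GPO folder not found at $root"
        return
    }
    # GPT.INI holds one integer: user version in the high 16 bits, machine in the low 16.
    $raw = [long]0
    $ini = Get-Content -LiteralPath "$root\GPT.INI" -Raw -ErrorAction SilentlyContinue
    if ($ini -match '(?m)^Version=(\d+)') { $raw = [long]$Matches[1] }
    # Hash every file so copies can be compared by content rather than timestamp.
    $files = Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Server  = $Server
            RelPath = $_.FullName.Substring($root.Length)
            Hash    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    [pscustomobject]@{
        Server         = $Server
        UserVersion    = $raw -shr 16
        MachineVersion = $raw -band 0xFFFF
        Files          = $files
    }
}

$state = foreach ($name in $DCs) {
    Get-GpoSysvolState -Server $name -Domain $Domain -GpoGuid $GpoGuid
}

# Version counters per DC; GPOTool prints the same pair as "Sysvol version".
$state | Select-Object Server, UserVersion, MachineVersion | Format-Table -AutoSize

# Files that are missing on some DC or whose content differs between DCs.
$state | ForEach-Object { $_.Files } | Group-Object RelPath | ForEach-Object {
    $distinct = @($_.Group | Select-Object -ExpandProperty Hash -Unique)
    if ($_.Count -ne $DCs.Count -or $distinct.Count -gt 1) { $_.Group }
} | Sort-Object RelPath, Server | Format-Table RelPath, Server, Hash -AutoSize
```

Hashes compare file content only; the sysvol permissions the reply also mentions are not compared here.
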
  • Hi,

    What is the OS of client?

    I suggest you run gpresult /h C:\gpresult.html on client and post it to us for further research.

    Best Regards,

    Jay



    I guess I should have been more specific about my issue. My actual issue is that I made a change to an existing GPO that was already linked to an OU, but the setting I changed didn't get applied to users. I ran gpresult and the GPO shows up as applied in the results, but it keeps applying the old setting it had, not the new change I made to the GPO.

    Tuesday, July 19, 2016 2:48 PM
  • Hi,

    I suggest you run the command below on DCS03:

    Repadmin /showrepl DCS01

    Then, use the repadmin /showrepl to generate a spreadsheet for all replication partners to check the status of replication (last success time, last failure time, number of failures and last failure status)

    For detailed information, you could refer to the article below.

    https://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx

    Or you could use Active Directory Replication Status Tool to check replication status of domain controller.

    Active Directory Replication Status Tool

    https://www.microsoft.com/en-us/download/details.aspx?id=30005

    Best Regards,

    Jay



    Wednesday, July 27, 2016 11:04 AM
    Moderator
  • Hi Jay, 

    I ran repadmin /showrepl and replication was successful, there were no errors. I also ran dcdiag /a /c and all the tests were passed. 

    I also have the Active Directory Replication Status tool installed on my computer and there were no errors when I ran it. 

    I have checked EventViewer logs on all DCs and none present errors. 


    Friday, July 29, 2016 1:57 PM
  • Hi,

    I suggest you check the last time of replication between DCS01 and DCS03 with Active Directory Replication Status Tool.

    Best Regards,

    Jay



    Thursday, August 04, 2016 1:00 PM
    Moderator
  • Jay, 

    The last replication time was 10 minutes ago. Active Directory Replication Status Tool shows no errors. 


    Friday, August 05, 2016 8:49 PM